UPDATED Highly destructive 'ransomware' exploit in Windows

Problems/advice relating to your PC/Mac/Phone/Television/ Satellite TV/DVD/Blu ray......

Moderator: Moderators

Post Reply
pbb
Rank 2
Rank 2
Posts: 32
Joined: Thu 02 Feb 2006 15:30
Contact:

UPDATED Highly destructive 'ransomware' exploit in Windows

Post by pbb » Sun 27 Oct 2013 02:53

19 November 2013 Regarding this exploit, there have been some useful recent developments.

A method of preventing the malware from encrypting user files was developed soon after it first appeared. However this technique could not be employed on Windows Home, Home Basic or Home Premium machines since Microsoft had removed the group policy editor from these Windows variants (thank you M$).

Someone has developed a small program to patch the registry of a Windows machine with the results one would have got had the group policy editor been available. This means that any Windows machine can now be protected automatically against the encryption payload of this ransomware.

Be aware that you should carry out a complete back-up of your system before installing and running this program - patching the registry, even automatically by a program, can fail and result in an unusable machine if you happen to be unlucky.
Also, these changes are made at quite a powerful level of the operating system and, for some users, might result in previously successful programs no longer working! However the application does have an undo button, and an exception/whitelist facility.

This application is available for free download at:

http://www.foolishit.com/vb6-projects/cryptoprevent/ (Careful how you pronounce this!)

There is another potentially useful program that claims to minimise the chances of these types of exploits from being successful. It is available from a well-respected provider of anti-malware solutions - Malwarebytes.

http://www.malwarebytes.org/products/an ... /#overview

Note that this product is still in Beta, and it may become chargeable once it clears Beta testing.

Good luck!


Original Post:


I ought to warn users of this forum that there exists a particularly nasty computer exploit, that first appeared in September, to which a lot of unfortunate PC users have fallen victim.

I won't go into any detail here since it is well covered in the two links below, but, once infected with this new exploit, a PC user will find that all his common data files (e.g. Word, Excel, pictures, music, etc.) have been encrypted and therefore they are no longer usable. The user's machine then displays a warning screen telling him that he has 96 hours to pay a ransom of $100 or $300 if he wants to gain access to his data or he will lose access to it forever when the decryption key is automatically destroyed after the deadline.

The only practical defence for users of Microsoft's Home or Home Premium versions of Windows (almost everyone!) is to be certain that they have a full and up-to-date copy of all their data files on an off-line device (external disk, USB key, DVD's) such that they can restore their files and not need to pay the ransom.

The two links are:

http://windowssecrets.com/top-story/cry ... ous-virus/

http://www.bleepingcomputer.com/virus-r ... nformation

These articles quickly become quite technical, but hopefully they will convince you of the scale of the risks involved if you were to become infected and you didn't have an appropriate level of backup.
Last edited by pbb on Tue 19 Nov 2013 22:47, edited 2 times in total.

Nigel
Rank 5
Rank 5
Posts: 299
Joined: Tue 26 Jun 2007 11:35
Contact:

Post by Nigel » Sun 27 Oct 2013 06:21

Does this virus circumvent anti-virus software ?

User avatar
blackduff
Rank 5
Rank 5
Posts: 850
Joined: Sat 30 Dec 2006 11:32
Contact:

Post by blackduff » Sun 27 Oct 2013 08:58

I was just got wrapped in a similar scam like this. It's requesting 100€ ransom to get my computer working again. It took several days and bags of luck in getting this scum going back to Russia. Safe mode, bringing the files back to a safe version, and any other methods didn't work. Just friggin luck.

I use Norton's super duper and it didn't touch this trojan. I think that the version has PBB mentioned is similar. So, start getting your backup programs up to date.

Blackduff
FACEBOOK THOUGHTS: Remember that old phrase: if you're not paying for it, you're not the customer; you're the product being sold.

pbb
Rank 2
Rank 2
Posts: 32
Joined: Thu 02 Feb 2006 15:30
Contact:

Post by pbb » Sun 27 Oct 2013 09:15

@nigel
You need to read the articles. There is a suggestion that this exploit is not being detected by AV products and it is also suggested that some AV's make the recovery by paying the ransom impossible because they interfere with exploit in some way.
Better to spend 50€ on a large USB key now, and use it, rather than run the risk!

Nigel
Rank 5
Rank 5
Posts: 299
Joined: Tue 26 Jun 2007 11:35
Contact:

Post by Nigel » Sun 27 Oct 2013 18:03

PBB...will do

User avatar
russell
Rank 5
Rank 5
Posts: 1012
Joined: Fri 21 May 2010 16:03
Contact:

Post by russell » Mon 28 Oct 2013 12:28

The ways to avoid this happening as I see it are:

1. If you are running Windows make sure your virus software is updated daily. The major antivirus programs detect this attack.

2. Never click on a link in an email unless you are certain it comes from a reliable source.

3. Back up your data regularly. I have a backup program that does a backup automatically at each boot up.

4. For best security use a Unix based operating system such as MAC (expensive) or Linux (free) instead of Windows.

Russell.[/b]

martyn94
Rank 5
Rank 5
Posts: 2086
Joined: Sun 14 Apr 2013 14:37

Post by martyn94 » Sat 09 Nov 2013 07:08

Or buy a mac. I am a long way from being a "fanboy": I got one because I was brassed off with windows, my desktop was dead, and a friend had a mac mini that seemed to work well. I imitated him and have never regretted it. You can buy second-hand for not very much (though much higher than an old PC if you ever want to resell) and their support for older kit is exemplary.

Post Reply